[tex-live] Recommended way to call tlmgr when TeX Live installed with root permissions
skostysh at lyx.org
Mon Sep 1 04:25:06 CEST 2014
On Sun, Aug 31, 2014 at 5:43 AM, Reinhard Kotucha
<reinhard.kotucha at web.de> wrote:
> On 2014-08-31 at 00:15:16 -0400, Scott Kostyshak wrote:
> > On Fri, Aug 29, 2014 at 11:59 PM, Norbert Preining <preining at logic.at> wrote:
> > > Hi,
> > >
> > > On Fri, 29 Aug 2014, Scott Kostyshak wrote:
> > >> Suppose that TeX Live is installed to /opt/texbin and requires root
> > >> permissions to call tlmgr to update the installation. What are the
> > >> recommended ways to call tlmgr? I see two approaches:
> > >>
> > >> 1. call it directly: sudo /opt/texbin/tlmgr (or create an alias)
> > >> 2. add /opt/texbin to root's PATH.
> > >>
> > >> (2) seems to be the most convenient option but I imagine it's
> > >> not a good idea from a security perspective. If this is true,
> > >> could someone outline a case where this would lead to a security
> > >> vulnerability?
> > >
> > > Both are fine. Why should adding /opt/texbin increase the
> > > security vulnerability?
> > >
> > > If someone is already root, he can call /opt/texbin/whatever
> > > without having it in the path.
> > I was thinking more that if an intruder somehow has access to
> > /opt/texbin (without having full root permissions), they could do
> > something like put an executable file "ls" in there and thus trick
> > root into running arbitrary commands (or if PATH precedence would
> > obviate that, then "l" or some common misspelled command). I
> > suppose if they had access to /opt/texbin though, they could modify
> > tlmgr which would cause the same security problem for any
> > solution. Sounds like I'm thinking harder than I need to about
> > this.
> If everything in /opt/texbin is writable by root only then an intruder
> needs full root permissions in order to add or modify files.
> There is no reason to install TeX Live as root at all. You could do
> chown -R skostysh:users /opt/texbin
> and you don't have to be root in order to run tlmgr. It's more secure
> not to run programs as root. Alternatively you can create a dedicated
> account "texadmin". The advantage is that it has its own HOME
> directory and all the trojan horses you already have in your own HOME
> directory are not accessible.
> Please keep in mind: if an intruder is able to modify files on your
> system, you are already lost. Sure, it's worse if he can modify files
> owned by root because root can do things what normal users can't do.
I will think carefully about this. I agree that installing as root
does not seem to provide a benefit and if anything causes trouble.
Thanks for the explanations and advice!
More information about the tex-live